What Separates the Hacks and the Hack-Nots—Cyber Saturday

In the latest issue of Fortune, which features our Global 500 list, I penned an essay about whether American corporations are equipped to defend themselves in cyberspace. Perhaps surprisingly, the answer to that question increasingly appears to be, "Yes." At least that's according to the experts I consulted. In lieu of a newsletter column today, below is an excerpt from that piece.

Attend any cybersecurity confab, and you’ll encounter some version of the following refrain. "There are two types of companies in this world: those that have been hacked and those that don’t yet know they’ve been hacked."

The phrase that launched a thousand quips was coined by Dmitri Alperovitch, a Moscow-born entrepreneur and one of the world’s foremost hacker-sleuths. In 2011, as head threat researcher at antivirus pioneer McAfee, he created the classification while investigating—and publicly revealing—half a decade’s worth of (likely Chinese) cyber­attacks on more than 70 organizations, including defense contractors, tech companies, and the United Nations.

Now the huff of resignation is due for an update. "I’ve since modified that phrase," Alperovitch tells Fortune. "The first two companies still exist, but now there’s a third type that’s able to successfully defend itself against intrusion." Ah, hope yet!

One could write off Alperovitch’s addendum as a savvy sales pitch. As the cofounder and chief technology officer of CrowdStrike, a cybersecurity company that stunned investors with a share price–popping IPO in June, there’s no wonder he’s feeling a bit of good cheer.

But there’s something to Alperovitch’s revision. Richard A. Clarke, former White House security adviser to both Bushes and to Clinton, agrees with the new, tripartite framing. He says as much in his just-published book, coauthored with Obama cyber lead Robert K. Knake, The Fifth Domain—a reference to cyber as the newest theater of war, after land, sea, air, and space.

Consider NotPetya. The devastatingly global computer-wiping attack, which Russia released on the world in 2017, caused billions of dollars of damage to corporations such as FedEx, Maersk, and Merck.

But not all firms succumbed. "What you don’t hear about is the list of American companies that were there doing business in Ukraine”—ground zero for the attack—"that didn’t get damaged," Clarke says. Firms like Boeing, DowDuPont, and Johnson & Johnson "were the dogs that didn’t bark, and in our book, we tried to figure out why."

So, what separates the hacks from the hack-nots? At a technical level, the unharmed firms had patched their machines against the vulnerability exploited by NotPetya. But a more fundamental question is, Why did some companies patch, while others neglected to?

In a word: prioritization. The most resilient organizations have buy-in across the—literal—board. Any executive who blocks a chief information security officer better have a damn good reason. Else the CEO will surely hear about it.

THREATS

From Russia With Love. In 2016 Russia targeted election systems in all 50 states, the Senate Intelligence Committee has concluded in a new report. Despite this and recent warnings from special counsel Robert Mueller about attempted interference in the next presidential race, Senate Majority Leader Mitch McConnell is blocking two election security bills that would provide $775 million in grants for states to secure their voting systems. Newsweek reports that McConnell has been receiving campaign donations from top voting machine lobbyists, while the Washington Post has gone so far as to label McConnell “a Russian asset” for standing in the way of greater protections.

An Apple a day. A whistleblower working for Apple has told the Guardian that contractors tasked with grading quality control for Siri, the company’s voice assistant, regularly hear people’s sensitive information. “There have been countless instances of recordings featuring private discussions between doctors and patients, business deals, seemingly criminal dealings, sexual encounters and so on,” the source said, noting that the recordings also show location, contact details, and app data. The whistleblower believes Apple should offer consumers more clear data privacy policy disclosures.

Passing the bar. U.S. Attorney General William Barr gave a keynote speech about the threat of “warrant-proof” encrypted communications at the International Conference on Cyber Security at Fordham University this week. “We must ensure that we retain society’s ability to gain lawful access to data and communications when needed to respond to criminal activity,” he said. Cybersecurity experts warn that any legally mandated backdoor will be unavoidably abused by hackers and spies.

Off the hook. Marcus Hutchins, better known by his online alias “MalwareTech,” the so-called accidental hero who stopped a global ransomware infection called WannaCry from spreading in 2017, has been sentenced to one year of supervised release on charges of developing and selling banking malware. When I wrote about his case in April, I argued that Hutchins should receive a light sentencing to be further reduced through public service. I’m glad to see the justice system recognize Huthins’ unusual talents. As the judge said, per TechCrunch, It’s going to take people like Hutchins “to eliminate this entire subject of the woefully inadequate security protocols.”

Go claim your $125 from Equifax. Right now. Even if $125 isn’t a sum of money that matters to you, even if you don’t feel you were really directly affected by the breach. Even if the prospect of filling out a relatively brief online form fills you with more dread than the theft of all your personal data.

Consider it a part of your civic duty: driving up the costs of data breaches for corporations so they have an incentive to invest more heavily in security. The payouts to individuals are part of the $575 to $700 million settlement that Equifax reached with the Federal Trade Commission, the Consumer Financial Protection Bureau, and 48 states. (Indiana and Massachusetts are still pursuing their own lawsuits against Equifax.)

ONE MORE THING

Starting over. Let us not forget how data breaches affect lives. A couple who adopted a child had to relocate and change their names after their personal information was accidentally leaked to the birth parents, reports the Hackney Gazette, a local British newspaper. The family received £106,000 for its troubles.